Windows NT Security Fact of the Day
Built-In Anonymous User Back Door
---------------------------------------------------------------------------
Topic Area: Attacks
---------------------------------------------------------------------------

Following is text from an advisory sent to the NTBUGTRAQ and NT Security
mailing lists by David LeBlanc.

A simple one-sentence summary: Allowing "Everyone" access to shares and the
Registry allows remote anonymous access, even with Guest disabled.

More information on the NTBUGTRAQ Mailing List is available, as are the lists
at ISS, including the NT Security List.

From: David LeBlanc
Subject: BUILT-IN ANONYMOUS USER BACK DOOR
Date: Sat, 19 Apr 1997 19:52:28 -0400

The following is a summary of what has been discovered regarding this
vulnerability:

4/19/97
BUILT-IN ANONYMOUS USER BACK DOOR
ISS Advisory

Problem:
A very serious security vulnerability in Windows NT has been discovered and
knowledge of it has been made publicly available.

Affects:
Any Windows NT host on a network.

Description:
An MWC exploit which demonstrates a security hole in Windows NT has been
released. The demonstration reads the registry of a remote machine, and lists
the users and shares, even if the currently logged in user has no legitimate
access to the target machine. The exploit can be obtained from
http://www.ntsecurity.com.

The source of the problem is the built-in user known as "anonymous". This user
is used by Windows NT for machine to machine communication, and was not
previously known to have access to any resources. However, now that it has
been demonstrated to be able to access Windows NT resources, it is important
to note that "anonymous" is a member of the "everyone" group. This has a
number of implications:

1. Any Windows NT machine which has NetBIOS bound to the network can have
   registry information read or written to the extent that the "everyone"
   group has access. The full extent of this problem will be explained below.
2. The application and system logs (but not the security logs) can also be
   read.
3. Any file share with access to "everyone" (which is the default) can also be
   accessed.
4. LAN Manager calls can be used to enumerate all of the users on the machine,
   determine which user is the administrator (even if renamed), and list all
   of the shares.

The extent of the problem with the registry is as follows:

1. Most of the keys which are created on install are properly secured, even
   from everyone. Under a default scenario, everyone does not have permissions
   to write to most of the registry, and if they do, it is normally only to
   create sub-keys, not write values. One possibility which was raised was
   that perhaps shares could be added via the registry - the default
   permissions will not allow this. It is not a good thing to let an intruder
   read the Windows NT registry, but it is a much more severe problem to allow
   it to be written.
2. Just about ANY software installed after OS install will not have correct
   permissions, and is FULLY writable by everyone. It is suspected that this
   is because the install scripts expect to be installing into Win95, which
   has no concept of security. This has been observed with file permissions
   as well. It would be _very_ possible to utilize this type of access to
   install trojans, and point applications like browsers, news and mail
   readers at trojans. For example:

     software\Clients\mail\Exchange\shell\open\command
     software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents

   and a number of other items which could be subverted are writable.

Solutions:

1. If a machine is directly connected to the internet, unbind NetBIOS services
   from the interface connected to the internet. This would be especially
   appropriate for Web and FTP servers. This is done by opening Control Panel,
   Networks, and choosing the Bindings tab.
2. ISS has written a small tool which changes "everyone" to "users" for an
   entire registry tree. The tool is everyone2users.exe, and is currently
   available from ftp://ftp.iss.net/everyone2users.exe and
   http://ntbugtraq.rc.on.ca/david.htm. Usage of the tool is:

     everyone2users [registry key to set permissions]

   It is recommended that this tool be run as follows:

     everyone2users software
     everyone2users system\currentcontrolset\services

3. Evaluate the exposure of any file system shares to "everyone". This can be
   done by selecting properties of a share from Explorer. The Windows NT
   version of the ISS Internet Scanner also detects shares which are set with
   full access to everyone, and can be obtained from http://www.iss.net/eval.

It is unclear at this time how to prevent the users from being listed. It is
expected that Microsoft will be patching the problem as rapidly as they can.

It is our opinion that this is a serious vulnerability and immediate attention
should be paid to preventing an intruder from exploiting this problem. The
availability of a demo for this problem substantially reduces the amount of
time it will take before the mechanism will become well known.

There are also a number of tools which can help identify the extent to which
the everyone group has access to a host - see http://www.somarsoft.com for
several shareware tools which may be helpful.

-----------------------------------------------------------
David LeBlanc                    | Voice: (770)395-0150 x138
Internet Security Systems, Inc.  | Fax: (404)395-1972
41 Perimeter Center East         | E-Mail: dleblanc@iss.net
Suite 660                        | www: http://www.iss.net/
Atlanta, GA 30328                |
---------------------------------------------------------------------------

Original published: 23 April 1997
Last modified:
---------------------------------------------------------------------------

Recommendations, corrections or discussion of the Fact of the Day can be
directed to the list or myself as list owner. If there is a topic or question
you would like to see answered in a Fact of the Day send your ideas to me.
Comments are encouraged and welcome.
---------------------------------------------------------------------------
Ken Jones
NT-SECURITY-LIST Owner
G021 Bedford x4873
kgjones@mail11.mitre.org
---------------------------------------------------------------------------
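As an added illustration of solutions 2 and 3 in the advisory above (this is not part of the advisory and not ISS's everyone2users tool, which changes permissions rather than reporting them), the following PowerShell script audits the two registry trees the advisory names and the host's SMB shares, and reports every place where the "Everyone" group has been granted write-type rights. It assumes a current Windows host with Windows PowerShell 5.1 or later and the SmbShare module (the advisory targets Windows NT 4, where that module does not exist), run from an elevated prompt so that every key's ACL can be read; the function names are this example's own.

```powershell
# Added example, not from the ISS advisory or the everyone2users tool.
# Reports (and does not change) registry keys and SMB shares where "Everyone"
# holds write-type rights. Assumes Windows PowerShell 5.1+ with the SmbShare
# module, run from an elevated prompt. Function names are this example's own.

# S-1-1-0 is the well-known SID of "Everyone"; comparing SIDs rather than
# names keeps the registry check correct on non-English installations.
$EveryoneSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$EveryoneName = $EveryoneSid.Translate([System.Security.Principal.NTAccount]).Value

$RR = [System.Security.AccessControl.RegistryRights]
# Rights that let a principal write values or otherwise alter a key outright
# (FullControl contains all of these bits, so it is caught as well).
$ValueWriteRights  = $RR::SetValue -bor $RR::Delete -bor $RR::ChangePermissions -bor $RR::TakeOwnership
# The advisory treats sub-key creation as the milder, but still notable, case.
$SubKeyCreateRight = $RR::CreateSubKey

function Get-EveryoneWritableRegistryKeys {
    param(
        # Default to the two trees the advisory recommends running everyone2users on.
        [string[]] $Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services')
    )
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # Keys whose ACL cannot be read (e.g. SAM, SECURITY) are skipped.
            try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
                catch { continue }
                if ($sid.Value -ne $EveryoneSid.Value) { continue }
                $writesValues   = ($ace.RegistryRights -band $ValueWriteRights)  -ne 0
                $createsSubKeys = ($ace.RegistryRights -band $SubKeyCreateRight) -ne 0
                if ($writesValues -or $createsSubKeys) {
                    [pscustomobject]@{
                        Key            = $key.Name
                        WritesValues   = $writesValues
                        CreatesSubKeys = $createsSubKeys
                        Rights         = $ace.RegistryRights
                        Inherited      = $ace.IsInherited
                    }
                }
            }
        }
    }
}

function Get-EveryoneWritableShares {
    # Get-SmbShare / Get-SmbShareAccess ship with the SmbShare module
    # (Windows 8 / Server 2012 and later). "Change" or "Full" lets Everyone
    # write through the share; the NTFS ACL underneath still applies on top.
    foreach ($share in Get-SmbShare -ErrorAction SilentlyContinue) {
        Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccountName -eq $EveryoneName -and
                $_.AccessRight -in @('Change', 'Full')
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    AccessRight = $_.AccessRight
                }
            }
    }
}

# Usage: list the offending keys and shares. Both functions only read ACLs.
Get-EveryoneWritableRegistryKeys | Sort-Object Key | Format-Table -AutoSize
Get-EveryoneWritableShares | Format-Table -AutoSize
```

Keys reported with WritesValues set are the ones the advisory's second registry point describes (a value such as a shell\open\command that Everyone can repoint); keys with only CreatesSubKeys set correspond to its milder default case. Because the script reports inherited entries too, a single loosely secured parent key typically shows up as many rows, which is the cue to fix the ACL at the top of that subtree rather than key by key.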